CT-Ops

Certificates

How CT-Ops tracks TLS certificates, URL monitoring status, uploaded certificate replacements, and expiry posture.

The Monitoring -> Certificates menu item opens /certificates. Use this page to review TLS certificate expiry posture across discovered certificates, URL-monitored imports, and manually uploaded certificate records.

Certificate sources

CT-Ops shows the source and monitoring state for each certificate in the inventory table:

Monitoring labelMeaning
Agent discoveredThe certificate was reported by a monitored host or check.
UploadedAn operator uploaded or pasted certificate material and CT-Ops is tracking it as a static expiry reminder.
URL monitoredCT-Ops re-checks a TLS endpoint on a schedule and records the latest refresh state.

For URL-monitored certificates, the table shows whether the last refresh succeeded, is waiting for the first check, or failed. A refresh failure does not erase the previous certificate details, so expiry reminders continue to work from the last known certificate.

Expiry thresholds

Instance administrators can configure the certificate expiry windows from Settings -> Instance at /settings.

SettingMeaning
Warning windowCertificates expiring inside this many days are marked Expiring Soon and warning-severity certificate expiry alerts use this threshold.
Critical windowCritical-severity certificate expiry alerts use this shorter threshold. It must be less than or equal to the warning window.

Changing these settings recalculates the stored certificate posture for the current instance. New agent-discovered, URL-monitored, and uploaded certificate records also use the configured warning window when CT-Ops decides whether they are valid or expiring soon.

Uploaded certificate renewal

Uploaded certificates are used when CT-Ops cannot safely re-check the endpoint, such as air-gapped services, out-of-band certificates, or certificates that are not served over a reachable TLS port.

When an uploaded certificate is re-issued, open the existing certificate detail record and use Replace certificate. Upload the renewed PEM file there rather than creating a new tracker record. CT-Ops updates the same certificate row, keeps existing CMDB and service links, and records the replacement in the event timeline.

Certificate detail

Opening a certificate shows the parsed X.509 details, fingerprint, SANs, expiry dates, CMDB link, and event timeline. Managers can link a certificate to a CMDB record, and uploaded certificates also expose the replacement workflow.